PHP checks the Excel file type uploaded

Source: Internet
Author: User
Tags: unpack

This article describes a more robust way to check the type of an uploaded file than the usual low-end checks, which fail as soon as the file extension is changed. I wrap the check in a class so it can be called wherever the MIME type needs to be verified.

When a document is sent to the browser, the browser has to start an appropriate application to process it. That is arranged through MIME (Multipurpose Internet Mail Extensions). In HTTP the MIME type is carried in the Content-Type header; for example, when a client uploads an Excel file to the server, the MIME type is "application/vnd.ms-excel". In PHP the type declared for an uploaded file is available as $_FILES["userfile"]["type"].

The earliest HTTP protocol carried no additional data type information: all transmitted data was interpreted by the client as an HTML document. To support multimedia data types, HTTP attaches MIME type information to the document to identify its data type. Each MIME type consists of two parts, a broad data category and a specific type (see any MIME type table).
Disadvantages of common file detection
  • File extension detection vulnerability (PS: the file extension can be forged at will)
  • The file MIME type cannot be determined from $_FILES['userfile']['type'] (PS: according to the official PHP documentation, this value can be completely forged! Hackers only need to modify the browser's POST request header to bypass this check and upload any type of file!)


Detection Method (for Excel)

  • Use the file extension to determine whether the file claims to be a 03 Excel file (.xls) or a 07 Excel file (.xlsx)
  • Read the leading bytes of the file and compare them with the known file signature. I captured hex dumps of the first bytes of 03 and 07 Excel files with the MadEdit hex editor (screenshots not reproduced here):
  • 03 Excel (signature D0 CF 11 E0 A1 B1 1A E1)
  • 07 Excel (signature 50 4B 03 04, the start of a ZIP container; 07 refers to the zip check)

Detection Program

/**
 * Detect upload file type
 *
 * @param array $file  one entry of $_FILES (keys "name", "tmp_name", ...)
 * @return bool $flag  true when the content matches the claimed extension
 */
private function detectUploadFileMIME($file) {
    // 1. through the file extension, decide whether the file claims to be 03 (.xls) or 07 (.xlsx)
    $flag = false;
    $file_array = explode(".", $file["name"]);
    $file_extension = strtolower(array_pop($file_array));

    // 2. through the binary content, check the leading bytes against the expected signature
    switch ($file_extension) {
        case "xls":
            // 2003 excel: OLE compound document header D0 CF 11 E0 A1 B1 1A E1
            $fh = fopen($file["tmp_name"], "rb");
            if ($fh === false) {
                break;
            }
            $bin = fread($fh, 8);
            fclose($fh);
            $strinfo = @unpack("C8chars", $bin);
            $typecode = "";
            foreach ($strinfo as $num) {
                // %02x keeps every byte two hex digits wide; dechex() would drop
                // the leading zero of bytes below 0x10 and make the string ambiguous
                $typecode .= sprintf("%02x", $num);
            }
            if ($typecode == "d0cf11e0a1b11ae1") {
                $flag = true;
            }
            break;

        case "xlsx":
            // 2007 excel: ZIP local file header 50 4B 03 04 ("PK\x03\x04")
            $fh = fopen($file["tmp_name"], "rb");
            if ($fh === false) {
                break;
            }
            $bin = fread($fh, 4);
            fclose($fh);
            $strinfo = @unpack("C4chars", $bin);
            $typecode = "";
            foreach ($strinfo as $num) {
                $typecode .= sprintf("%02x", $num);
            }
            if ($typecode == "504b0304") {
                $flag = true;
            }
            break;
    }

    // 3. return the flag
    return $flag;
}
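The following is an added example, not code from the original article, that carries the article's approach through all three steps in one function: an extension allowlist, the leading-byte signature, and, for .xlsx, an inspection of the ZIP container, because every ZIP (a .docx, a .jar, and so on) starts with the same "PK\x03\x04" bytes, so the signature alone only proves "ZIP". It also shows a server-side MIME lookup with PHP's Fileinfo extension (finfo) as an independent opinion, instead of trusting the client-supplied $_FILES['userfile']['type'] the article warns about. The function names, the expected-part list for .xlsx and the sample files are this example's own assumptions.

```php
<?php
// Added example (not from the original article): extension allowlist,
// leading-byte signature, and ZIP inspection for .xlsx. Function names,
// the required OOXML parts and the sample files are this example's own.

function detectSpreadsheetType(string $path, string $originalName): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!in_array($ext, ['xls', 'xlsx'], true)) {
        return null;                        // not an allowed extension
    }

    $head = file_get_contents($path, false, null, 0, 8);
    if ($head === false || strlen($head) < 8) {
        return null;                        // too short to carry a signature
    }
    $hex = bin2hex($head);                  // always two hex digits per byte

    if ($ext === 'xls') {
        // 03 Excel: OLE2 compound file, D0 CF 11 E0 A1 B1 1A E1. Other Office
        // 97-2003 files share this header, so this proves "compound file",
        // not specifically "workbook".
        return $hex === 'd0cf11e0a1b11ae1' ? 'xls' : null;
    }

    // 07 Excel: ZIP local file header 50 4B 03 04 ...
    if (substr($hex, 0, 8) !== '504b0304') {
        return null;
    }
    // ... plus the parts an OOXML spreadsheet package carries.
    $zip = new ZipArchive();
    if ($zip->open($path) !== true) {
        return null;                        // header said ZIP, but it does not parse as one
    }
    $isWorkbook = $zip->locateName('[Content_Types].xml') !== false
        && $zip->locateName('xl/workbook.xml') !== false;
    $zip->close();
    return $isWorkbook ? 'xlsx' : null;
}

// Server-side MIME detection via libmagic; never reads the client's Content-Type.
function fileinfoMime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime = $finfo->file($path);
    return $mime === false ? 'unknown' : $mime;
}

// Helper to build the constructed sample archives used below.
function makeZip(string $path, array $entries): void
{
    $zip = new ZipArchive();
    $zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    foreach ($entries as $name => $content) {
        $zip->addFromString($name, $content);
    }
    $zip->close();
}

// Constructed sample files (deleted after the run).
$tmp = sys_get_temp_dir();
$samples = [];

$p = tempnam($tmp, 'up');                   // a workbook-shaped package
makeZip($p, ['[Content_Types].xml' => '<Types/>', 'xl/workbook.xml' => '<workbook/>']);
$samples[] = ['budget.xlsx', $p, 'xlsx'];

$p = tempnam($tmp, 'up');                   // word-processing parts, renamed to .xlsx
makeZip($p, ['[Content_Types].xml' => '<Types/>', 'word/document.xml' => '<document/>']);
$samples[] = ['budget.xlsx', $p, 'NULL (ZIP, but not a workbook)'];

$p = tempnam($tmp, 'up');                   // OLE2 header followed by zero padding
file_put_contents($p, "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" . str_repeat("\0", 504));
$samples[] = ['legacy.xls', $p, 'xls'];

$p = tempnam($tmp, 'up');                   // plain text renamed to .xlsx
file_put_contents($p, "just some text, not a spreadsheet\n");
$samples[] = ['notes.xlsx', $p, 'NULL (signature mismatch)'];

foreach ($samples as [$name, $path, $expected]) {
    $got = detectSpreadsheetType($path, $name);
    printf("%-12s -> %-6s expected %-32s libmagic: %s\n",
        $name, var_export($got, true), $expected, fileinfoMime($path));
    unlink($path);
}
```

The ZIP step needs PHP's zip extension and the libmagic line needs fileinfo; both are bundled with standard PHP builds. For the toy packages above libmagic will usually report a generic application/zip, since they are not complete OOXML files; on a real .xlsx a current libmagic database reports the spreadsheet MIME type, which is why the two checks are worth running side by side rather than relying on either one alone.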

Reference link: file type table
